Merge branch 'PHP-5.4' of git.php.net:php-src into PHP-5.4

Author: laruence

NEWS

@@ -10,6 +10,9 @@ PHP                                                                        NEWS
   . Fixed bug #65818 (Segfault with built-in webserver and chunked transfer 
     encoding). (Felipe)
 
+- Exif:
+  . Fixed crash on unknown encoding. (Draal)
+
 - FTP:
   . Fixed bug #65667 (ftp_nb_continue produces segfault). (Philip Hofstetter)
 
@@ -22,7 +25,7 @@ PHP                                                                        NEWS
   . Fixed bug #64230 (XMLReader does not suppress errors). (Mike)
 
 
-?? ??? 2013, PHP 5.4.21
+17 Oct 2013, PHP 5.4.21
 
 - Core:
   . Fixed bug #65322 (compile time errors won't trigger auto loading). (Nikita)

ext/date/php_date.c

@@ -1362,6 +1362,7 @@ PHPAPI signed long php_parse_date(char *string, signed long *now)
 
 	parsed_time = timelib_strtotime(string, strlen(string), &error, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper);
 	if (error->error_count) {
+		timelib_time_dtor(parsed_time);
 		timelib_error_container_dtor(error);
 		return -1;
 	}

ext/exif/exif.c

@@ -2643,14 +2643,15 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 			} else {
 				decode = ImageInfo->decode_unicode_le;
 			}
+			/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
 			if (zend_multibyte_encoding_converter(
 					(unsigned char**)pszInfoPtr, 
 					&len, 
 					(unsigned char*)szValuePtr,
 					ByteCount,
 					zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
 					zend_multibyte_fetch_encoding(decode TSRMLS_CC)
-					TSRMLS_CC) < 0) {
+					TSRMLS_CC) == (size_t)-1) {
 				len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
 			}
 			return len;
@@ -2663,14 +2664,15 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 			*pszEncoding = estrdup((const char*)szValuePtr);
 			szValuePtr = szValuePtr+8;
 			ByteCount -= 8;
+			/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
 			if (zend_multibyte_encoding_converter(
 					(unsigned char**)pszInfoPtr, 
 					&len, 
 					(unsigned char*)szValuePtr,
 					ByteCount,
 					zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC),
 					zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC)
-					TSRMLS_CC) < 0) {
+					TSRMLS_CC) == (size_t)-1) {
 				len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
 			}
 			return len;
@@ -2700,16 +2702,16 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
 {
 	xp_field->tag = tag;	
-
-	/* Copy the comment */
+	
+	/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
 	if (zend_multibyte_encoding_converter(
 			(unsigned char**)&xp_field->value, 
 			&xp_field->size, 
 			(unsigned char*)szValuePtr,
 			ByteCount,
 			zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
 			zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_unicode_be : ImageInfo->decode_unicode_le TSRMLS_CC)
-			TSRMLS_CC) < 0) {
+			TSRMLS_CC) == (size_t)-1) {
 		xp_field->size = exif_process_string_raw(&xp_field->value, szValuePtr, ByteCount);
 	}
 	return xp_field->size;

ext/exif/tests/bug62523_1.jpg

@@ -0,0 +1,18 @@
+--TEST--
+Bug 62523 (php crashes with segfault when exif_read_data called)
+--SKIPIF--
+<?php
+extension_loaded("exif") or die("skip need exif");
+?>
+--FILE--
+<?php
+echo "Test\n";
+var_dump(count(exif_read_data(__DIR__."/bug62523_1.jpg")));
+?>
+Done
+--EXPECTF--
+Test
+
+Warning: exif_read_data(bug62523_1.jpg): File not supported in %sbug62523_1.php on line %d
+int(1)
+Done

ext/exif/tests/bug62523_1.phpt

@@ -0,0 +1,16 @@
+--TEST--
+Bug 62523 (php crashes with segfault when exif_read_data called)
+--SKIPIF--
+<?php
+extension_loaded("exif") or die("skip need exif");
+?>
+--FILE--
+<?php
+echo "Test\n";
+var_dump(count(exif_read_data(__DIR__."/bug62523_2.jpg")));
+?>
+Done
+--EXPECT--
+Test
+int(76)
+Done

ext/exif/tests/bug62523_2.jpg

@@ -0,0 +1,18 @@
+--TEST--
+Bug 62523 (php crashes with segfault when exif_read_data called)
+--SKIPIF--
+<?php
+extension_loaded("exif") or die("skip need exif");
+?>
+--FILE--
+<?php
+echo "Test\n";
+var_dump(count(exif_read_data(__DIR__."/bug62523_3.jpg")));
+?>
+Done
+--EXPECTF--
+Test
+
+Warning: exif_read_data(bug62523_3.jpg): File not supported in %sbug62523_3.php on line %d
+int(1)
+Done

ext/exif/tests/bug62523_2.phpt

@@ -0,0 +1,14 @@
+--TEST--
+PHP crash when zend_multibyte_encoding_converter returns (size_t)-1)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+$infile = dirname(__FILE__).'/exif_encoding_crash.jpg';
+$exif_data = exif_read_data($infile);
+echo "*** no core dump ***\n";
+?>
+===DONE===
+--EXPECT--
+*** no core dump ***
+===DONE===

ext/exif/tests/bug62523_3.jpg

@@ -127,6 +127,9 @@ static char* getPreferredTag(char* gf_tag)
 	int grOffset = 0;
 
 	grOffset = findOffset( LOC_GRANDFATHERED ,gf_tag);
+	if(grOffset < 0) {
+		return NULL;
+	}
 	if( grOffset < LOC_PREFERRED_GRANDFATHERED_LEN ){
 		/* return preferred tag */
 		result = estrdup( LOC_PREFERRED_GRANDFATHERED[grOffset] );

ext/exif/tests/bug62523_3.phpt

@@ -2639,7 +2639,7 @@ static void php_pgsql_fetch_hash(INTERNAL_FUNCTION_PARAMETERS, long result_type,
 					Bucket *p;
 
 					fci.param_count = 0;
-					fci.params = safe_emalloc(sizeof(zval*), ht->nNumOfElements, 0);
+					fci.params = safe_emalloc(sizeof(zval***), ht->nNumOfElements, 0);
 					p = ht->pListHead;
 					while (p != NULL) {
 						fci.params[fci.param_count++] = (zval**)p->pData;

ext/exif/tests/exif_encoding_crash.jpg

@@ -1,5 +1,9 @@
 --TEST--
 Test disk_free_space and its alias diskfreespace() functions : basic functionality
+--SKIPIF--
+<?php
+if (getenv("TRAVIS") === "true") die("skip inaccurate on TravisCI");
+?>
 --INI--
 memory_limit=32M
 --FILE--

ext/exif/tests/exif_encoding_crash.phpt

@@ -40,7 +40,7 @@
 ZIP_EXTERN(void)
 zip_source_error(struct zip_source *src, int *ze, int *se)
 {
-    int e[2];
+    int e[2] = { 0, 0 };
 
     if (src->src == NULL) {
     }